Abstract

In this paper, we present a new application for $\binom{n}{1}$ oblivious transfer, which is an interactive protocol between two parties Alice and Bob, where Alice has n secrets and Bob has a query i. At the end of the protocol Bob has the i-th secret and no other information about Alice's other secrets, while Alice does not get any information about i. This new application is the Secure Database Access problem. Motivated by this application, we propose an OT scheme which achieves low communication complexity and information theoretic security.

We use a distributed model for $\binom{n}{1}$ oblivious transfer, where Bob interacts with multiple "Alices". In this model, we base our scheme on any PIR scheme, which is a scheme where only the privacy of Bob is considered, and use it to construct an OT scheme, private for both parties, without paying too much in communication complexity. This results in the first sublinear information theoretic scheme for $\binom{n}{1}$ OT.

Further motivated by the application of $\binom{n}{1}$ OT for polynomial n, we raise the issue of repetition in $\binom{n}{1}$ OT, where both security and efficiency are important. We show that previous protocols for $\binom{n}{1}$ oblivious transfer fail in this setting.



* yael@theory.lcs.mit.edu
Ual@theory.lcs.mit.edu 



1 Introduction 

$\binom{n}{1}$ oblivious transfer (OT) is an interactive protocol between two parties Alice and Bob, where Alice has n secret bits and Bob has a query i. At the end of the protocol Bob has the i-th secret and no other information about Alice's other secrets, while Alice does not get any information about i. Previously, Oblivious Transfer has been proven to be a very important cryptographic primitive for applications such as secret exchange, contract signing, and non-interactive zero knowledge proofs for NP, to name a few [17, 12, 15, 8]. Given the nature of these applications, the $\binom{n}{1}$ oblivious transfer protocol has always been used as a primitive within a larger two party or multi party computation, where n of a constant size was sufficient.

In this paper, we offer a new direct application of $\binom{n}{1}$ oblivious transfer in which the number of secrets n is polynomial. This application is the Secure Database Access problem, which involves a user who queries a database for the value in some location i, such that the database does not learn anything about the user's query i, and the user does not learn anything about the database except for the value in a single location i. This problem is equivalent to the $\binom{n}{1}$ OT problem.

The problem of secure database access, where security of both the user and database is considered, is a 
very natural problem, that arises in practice. For example, consider an investor who decides on a stock based 
on information he receives from a database containing stock information. In this scenario, it is likely that 
the user wishes to keep his choice of stock, or query, secret while the database would like to keep the stock 
information private to itself, except for the particular stock that the user has paid for. Clearly, security of 
both should be maintained. 

Having this application in mind, we are faced with a new problem in $\binom{n}{1}$ OT that none of the existing implementations address: reducing the cost of communication complexity, or the total amount of bits transferred between Alice and Bob, as n grows. Moreover, we want to achieve information theoretic security for both sides. In order to achieve these goals, we use a distributed model for $\binom{n}{1}$ OT, where the user interacts with multiple secret holders who do not communicate with each other.

Previous Work 

A naive solution to the Secure Database Access problem would be to use an already existing $\binom{n}{1}$ OT protocol, such as [9, 14]. However, these protocols rely on cryptographic assumptions and their communication complexity is at least $\Omega(nk)$, where k is a security parameter. In contrast, our goals are to achieve information theoretic results and a communication complexity which is sublinear in n.

Schemes that reduce the communication complexity were introduced for the Private Information Re- 
trieval problem [11, 2], in which the user's query is protected by information theoretic security. This work 
achieved sublinear communication complexity by using a multi database model in which a constant number 
of databases rather than a single database are used. However, it does not achieve privacy for the database's 
information, since the user can get additional information about the database, other than the value in a 
single location. Here, we show how data privacy can be added to any PIR protocol without paying too much 
in communication complexity. 

Another protocol called Instance Hiding [3, 4] allows for information theoretic security for both the user 
and the database, in a model where the database size n is exponential, and the number of databases needed 
is logarithmic. In contrast, here we consider n to be feasible (following the PIR model [11]), which allows us 
to achieve those results for a constant number of databases. 

[7, 16] show that any two party protocol can be achieved in the two-prover IP model without cryptographic assumptions, which implies a distributed model for $\binom{2}{1}$ OT achieving information theoretic security. Although known reductions between $\binom{2}{1}$ OT and $\binom{n}{1}$ OT exist ([8, 12]), they cost a high price in communication complexity, and thus cannot be used to convert the [7] $\binom{2}{1}$ OT protocol into a sublinear $\binom{n}{1}$ OT protocol.

Our Contribution 

• We show a direct application for $\binom{n}{1}$ OT - the Secure Database Access problem. This is the first application where n is polynomial. This motivates a new range of problems in $\binom{n}{1}$ OT, such as sublinear communication complexity, and repetitive OT (see below).



• We suggest a new model for OT - distributed $\binom{n}{1}$ OT, where n is polynomial, and there are multiple secret holders. This allows us to achieve the following properties:

  — We show an efficient $\binom{n}{1}$ OT, using sublinear communication complexity. Specifically, starting from any private information retrieval protocol for constant k databases, we show a secure database access (equivalently, $\binom{n}{1}$ oblivious transfer) protocol for k + 2 databases ("secret holders"), paying at most a logarithmic factor in communication complexity.

    For example, for k = 2, since currently the best known PIR protocol [2, 11] uses $O(n^{1/3})$ communication, our scheme uses $O(n^{1/3}\log n)$ communication. The same scheme can be used to achieve polylogarithmic communication complexity for a logarithmic number of databases. If we allow computational assumptions, our scheme can achieve $O(n^{\epsilon})$ communication complexity for any $\epsilon > 0$, using [10].

  — Our scheme achieves an information theoretic OT which is not based on any cryptographic assumptions (which is impossible in the traditional non-distributed model).



• We also raise the question of repetition in $\binom{n}{1}$ oblivious transfer, namely we consider a scenario where multiple executions of $\binom{n}{1}$ oblivious transfer are necessary, using the same n secrets. We examine whether existing implementations for $\binom{n}{1}$ oblivious transfer allow for repetitive use while maintaining security and efficiency. Surprisingly, the answer is negative.

Organization 

In section 2 we give preliminaries and definitions of the already existing and our new model of $\binom{n}{1}$ OT. Then, in section 3, we present our implementation - the Random Pointer scheme - which guarantees information theoretic security for both parties while keeping the communication complexity low. These properties are proven in section 4. In section 5, we outline possible generalizations. In section 6 we present the new open problem that deals with repetitive executions of $\binom{n}{1}$ OT, and show how existing $\binom{n}{1}$ OT implementations are not adequate for this purpose.

2 Preliminaries and Definitions 

2.1 Oblivious Transfer 

Oblivious transfer comes in various forms, including "standard" OT, $\binom{2}{1}$ OT, and $\binom{n}{1}$ OT. These variants are all equivalent, in the sense that reductions among them exist ([8, 12]). In this paper, we are interested in $\binom{n}{1}$ oblivious transfer, which is defined as follows.

$\binom{n}{1}$ Oblivious Transfer: This is an interactive protocol between two parties Alice and Bob. In this protocol, Alice has n secret bits $S_1, \ldots, S_n$, and Bob has a selection index $i \in \{1, \ldots, n\}$. At the end of the protocol, the following three conditions hold.

1. Bob learns the i-th secret $S_i$.

2. Bob gains no further information about the other secrets $S_j$ for $j \neq i$.

3. Alice learns nothing about the value of i.

2.2 Distributed $\binom{n}{1}$ Oblivious Transfer



As described above, the model used in the traditional oblivious transfer consists of two parties, Alice and Bob. Alice has n secret bits and Bob has a query which is an index to one of those secrets. Implementations of traditional OT were shown using cryptographic assumptions (such as the existence of one way functions [14]), noisy channels [15, 16], or quantum computation [6]. The need to make some computational assumption is inherent in this model, because Alice has access to the complete transcript of the communication between her and Bob, and thus she can, information theoretically, determine exactly what Bob can infer about her data. Thus, this model does not allow us to implement an information theoretic protocol. We overcome this inherent problem by moving from the traditional model to a distributed one, as follows.

In the distributed OT model, the secret holder Alice is distributed into multiple holders who do not 
communicate with each other. More formally: 

$\binom{n}{1}$ Distributed Oblivious Transfer: This is a protocol between k secret holders ("Alices") $A_1, \ldots, A_k$, holding n secret bits $S_1, \ldots, S_n$, and one user Bob, holding a selection index $i \in \{1, \ldots, n\}$. The protocol is run in two stages: the setup stage, and the online stage. After the initial setup stage, no two $A_j, A_l$, $j \neq l$, are allowed to communicate with each other. At the end of the protocol, the following three conditions hold.

1. Bob learns the i-th secret $S_i$.

2. Bob gains no further information about the other secrets $S_j$ for $j \neq i$.

3. $\forall j$, $A_j$ learns nothing about the value of i.

This distributed model allows us to obtain the following properties: 

Information theoretic OT Each Alice on her own, without communicating with the other Alices, receives 
a view which is completely independent of Bob's query i. Thus, no individual Alice can gain any 
information about i. 

Note that this is impossible to achieve in the traditional OT model with a single Alice, since in this 
case Alice's view is the same as Bob's. 

Sublinear communication complexity The total amount of bits exchanged between all the Alices and 
Bob for one query is sublinear in n. 

All existing protocols in the traditional model fail to achieve this, because, since Bob's query is to 
remain secret, they are based on Alice sending to Bob information regarding all her secrets (in a way 
that will allow Bob to recover only one of them), and thus existing protocols require communication 
complexity which is at least linear in the number of secrets. 

Note that by information theoretic OT we do not mean that the parties should be computationally 
unlimited in order to correctly execute the protocol, but rather that the security of the protocol is information 
theoretical. That is, polynomial computation power suffices to use the protocol, but even if the other side 
has unlimited computational power, she will not be able to extract more information than she was supposed 
to. 

Within the distributed OT model, we implement a protocol which solves our goals mentioned above. This protocol uses private information retrieval (PIR) as a subprotocol. Since in this paper we present the problem in the context of oblivious transfer, where we have a secret holder (Alice) instead of a database as in the PIR scheme, for clarity we rename the PIR scheme to semi-oblivious transfer. In semi-oblivious transfer, we let go of the second condition in the definition of OT, allowing Bob to possibly get more information about the secrets other than $S_i$:

$\binom{n}{1}$ Distributed Semi-Oblivious Transfer: This is a protocol between k secret holders ("Alices") $A_1, \ldots, A_k$, holding n secret bits $S_1, \ldots, S_n$, and one user Bob, holding a selection index $i \in \{1, \ldots, n\}$. The protocol is run in two stages: the setup stage, and the online stage. After the initial setup stage, no two $A_j, A_l$, $j \neq l$, are allowed to communicate with each other. At the end of the protocol, the following two conditions hold.

1. Bob learns the i-th secret $S_i$.

2. $\forall j$, $A_j$ learns nothing about the value of i.

These definitions may be extended in the natural way to deal with longer secrets, consisting of $l$ bits each. Notation: The communication complexity required for a $\binom{n}{1}$ semi-oblivious transfer protocol for $l$-bit secrets using k secret holders is denoted by $SOT_k(l, n)$.



2.3 Application: The Secure Database Access Problem 

We describe here an application of $\binom{n}{1}$ oblivious transfer - the Secure Database Access problem, which is a direct application of $\binom{n}{1}$ OT for a polynomial n. In this problem, there is a user who wants to retrieve some information from a database. We assume the data is a string of n bits, and the user is interested in the i-th bit. The user wants to keep his interest i secret from the database, and the database does not want to give any additional information except one bit in a single location. At the end of the protocol, the user will have the i-th bit, but no other information about any other bit, and the database will have no information about i.

Clearly, secure database access (where security of both the user and the database is considered) is equivalent to $\binom{n}{1}$ oblivious transfer, and thus any solution for the latter will automatically translate into a solution for the former.

3 The Random Pointer Scheme 

In this section we present a scheme that achieves sublinear communication complexity and information theoretic security in the distributed $\binom{n}{1}$ oblivious transfer model. Our scheme uses any semi-oblivious scheme of k secret holders to obtain a distributed OT scheme with k + 2 secret holders, paying only a logarithmic factor in communication complexity.

3.1 Overview 

We start by recalling that sublinear information-theoretical schemes for semi-oblivious transfer exist in a 
distributed model (using any private information retrieval scheme, such as [2, 11]). However, those schemes 
are only concerned with Bob's privacy, and not Alice's. That is, Bob can get more information about the 
secrets, in addition to just Si. Thus, in order to achieve privacy for both parties, we must prevent Bob from 
getting this extra information. 

We achieve this using the following idea: There are k + 2 secret holders: $A_1, \ldots, A_k, R_1, R_2$. Those secret holders are not allowed to communicate amongst themselves. $R_1$ and $R_2$ each consist of a random string with an equal number of zeros and ones. $A_1, \ldots, A_k$ contain the original data and a copy of $R_1$ and $R_2$. During the final stage of the protocol Bob asks $R_1$ and $R_2$ for their values at indices j and l, $R_1(j)$ and $R_2(l)$, respectively (where j and l are pointers to the R's contents that Bob obtained by communicating with the $A_i$'s). Using the values at those pointers Bob can compute the value of his query

$R_1(j) \oplus R_2(l) = S_i$   (1)

The values of these pointers are chosen by the A's in such a way that a pair of pointers only gives information about at most one secret bit.

The rest of the interaction between Bob and $A_1, \ldots, A_k$ serves the purpose of allowing Bob to obtain an appropriate pair of indices (j, l) that satisfy (1), without revealing any information about his selection index i. This is done by running a distributed semi-oblivious transfer subprotocol in which $A_1, \ldots, A_k$ use n pairs of the form $(j_1, l_1), (j_2, l_2), \ldots, (j_n, l_n)$ for the n secrets, and i as the selection index of Bob.

Using this general paradigm, we need to carefully adjust the details of the protocol so that it indeed implements sublinear, information theoretic, distributed $\binom{n}{1}$ oblivious transfer.

In order for Bob to receive the correct secret $S_i$ in (1), the pairs used as secrets in the subprotocol must satisfy

$R_1(j_r) \oplus R_2(l_r) = S_r \quad \forall r \in \{1, \ldots, n\}$   (2)

These secrets cannot be chosen deterministically, because $(j_i, l_i)$ will be sent to $R_1$ and $R_2$ respectively in the clear by Bob, so it should not reveal any information about his interest i. Thus, $A_1, \ldots, A_k$ need to share some randomness (in our case, they share a few random permutations on n bits).

Before turning to describing the details of the protocol, let us summarize the intuition behind this idea. Since the subprotocol that we want to use (semi-oblivious transfer) leaks excess information about A's secrets, we run the subprotocol with secrets that will not contain any useful information for Bob. In our case, these are the pairs of locations of the form $(j_r, l_r)$, which can be viewed as "pointers" to more useful information. These locations, without the actual content of $R_1, R_2$ in these locations, give no information about the original secrets $S_1, \ldots, S_n$. However, these locations together with the content of $R_1, R_2$ in these locations give the original secrets, as implied by (2). Since Bob is allowed to get only one value from each of $R_1$ and $R_2$, we can prove that he does not get any information about the secrets, except for a single secret $S_i$. In addition, privacy of Bob is still maintained, because he talks to $A_1, \ldots, A_k$ using SOT, and $R_1$ and $R_2$ each get a uniformly distributed location.

3.2 The Scheme 

This protocol is an interaction between Bob, holding a selection index i, and distributed holders $A_1, \ldots, A_k, R_1, R_2$, where $A_1, \ldots, A_k$ hold n secret bits $S_1, \ldots, S_n$ and $R_1, R_2$ hold random bits (see below). It uses as a subprotocol, call it P, a semi-oblivious transfer scheme (equivalently, private information retrieval) for k distributed holders. P should actually be a semi-oblivious scheme that transfers secrets which are strings, rather than single bits. This can always be achieved by simply repeating a (single-bit) semi-oblivious scheme for every bit in the string, or by using a more efficient scheme, such as the one described in [11]. For efficiency reasons, we require the subprotocol to run in time sublinear in n.

Initial Setup for the Secret Holders At this stage we describe what contents each party gets.

• $R_1$ consists of a random string, chosen uniformly from all strings of n bits with an equal number of 0's and 1's.

• $R_2$ consists of a random string, chosen uniformly from all strings of 2n bits with an equal number of 0's and 1's.

• $A_1, \ldots, A_k$ each have the secrets $S_1, \ldots, S_n$, the contents of $R_1, R_2$, and three random permutations $\pi_1, \pi_2^0, \pi_2^1 : \{1, \ldots, n\} \to \{1, \ldots, n\}$. (The subscripts indicate whether the permutation will be used to find a location in $R_1$ or $R_2$, and the superscripts indicate the value of the bit that should be found in that location).

We stress that $R_1$ and $R_2$ only need to contain a random string, and are not required to know the secrets of the protocol, or the random permutations which are shared by $A_1, \ldots, A_k$.

After the initial setup stage, once Bob steps into the picture, the secret holders are not allowed to communicate with each other.

$\binom{n}{1}$ Oblivious Transfer Protocol (on-line stage)

• Bob chooses three random shifts $s_1, s_2^0, s_2^1 \in_U \{1, \ldots, n\}$ and sends them to each of $A_1, \ldots, A_k$.

• $A_1, \ldots, A_k$ each compute three new permutations $\sigma_1, \sigma_2^0, \sigma_2^1$, which are $\pi_1, \pi_2^0, \pi_2^1$ shifted by $s_1, s_2^0, s_2^1$ respectively. That is, $\forall r \in \{1, \ldots, n\}$, $\sigma_1(r) = \pi_1(r) + s_1 \pmod n$, and similarly for $\sigma_2^0$ and $\sigma_2^1$.

• $A_1, \ldots, A_k$ each compute n pairs $(j_1, l_1), (j_2, l_2), \ldots, (j_n, l_n)$ from $\sigma_1, \sigma_2^0, \sigma_2^1$, $\{S_1, \ldots, S_n\}$, and the contents of $R_1, R_2$, as follows:

  — $j_r = \sigma_1(r)$ for $r = 1, \ldots, n$; hence all the j's are chosen completely randomly.

  — The $l_r$'s ($r = 1, \ldots, n$) are chosen randomly so that the contents in the j locations and the l locations will xor to the secret bits. To do that, start by letting $b = R_1(j_r) \oplus S_r$ and $m = \sigma_2^b(r)$. Note that in order to satisfy (2) we need to choose $l_r$ such that $R_2(l_r) = b$. Thus, we let $l_r$ = the index of the m-th b in $R_2$. That is, if $b = 0$ we choose $l_r$ to be the index of the m-th 0 in $R_2$, and similarly for $b = 1$. (Note that $R_2$ has 2n bits, consisting of n 0's and n 1's. Thus, for any $b \in \{0, 1\}$ and $m \in \{1, \ldots, n\}$, $l_r$ is well defined).

• $A_1, \ldots, A_k$ and Bob run the subprotocol P with $(j_1, l_1), (j_2, l_2), \ldots, (j_n, l_n)$ as the secrets, and i as the selection index of Bob. At the end of the subprotocol, Bob has the pair $(j, l) = (j_i, l_i)$.

• Bob sends j to $R_1$, and l to $R_2$.

• $R_1$ sends Bob the bit $R_1(j)$, and $R_2$ sends Bob $R_2(l)$.

• Bob computes the exclusive-or of these two values, yielding $S_i = R_1(j) \oplus R_2(l)$.

The proofs for correctness, security, and efficiency properties of our protocol are presented in the next 
section. 

4 Analysis of the Random Pointer Scheme 

In this section we analyze the complexity and security of our protocol. In particular, we show that it achieves sublinear communication complexity, and that it satisfies the definition of distributed $\binom{n}{1}$ oblivious transfer, including correctness and information theoretic security for both parties.

Assumption: In the analysis, we consider any user Bob, who may be malicious and deviate from the protocol. As for the secret holders, we first make the usual assumption that they want to send the secret to Bob, so that they won't send junk instead of the real secrets¹. However, if we limit ourselves to this assumption only, then if all of $A_1, \ldots, A_k$ and one of the $R_j$ collaborate during setup time, and deviate from the protocol during the online stage, then $R_j$ can get information about Bob's query².

Thus, we need to make one of the following assumptions, in order to protect the privacy of Bob against the random holders $R_1, R_2$. Either assume that the secret holders are honest but curious, namely they follow the protocol, but may try to extract as much information as possible about the identity of Bob's query. Alternatively, we may make the assumption that the random holders ($R_1, R_2$) do not know the random permutations shared by $A_1, \ldots, A_k$. This assumption is satisfied if we require that $R_1, R_2$ do not get any communication from $A_1, \ldots, A_k$ during the setup stage. Under this assumption, all the secret holders may be malicious, and deviate from the protocol. This assumption is reasonable, since we can think of $R_1, R_2$ as auxiliary databases (consisting of a random string), provided by an independent source, such as a special server for this purpose (and they may be determined in advance, independent of the secrets, or chosen later, after the secret holders chose their permutations). Note that these random holders do not need to know anything about the secrets, and no communication from the secret holders to the random holders is required at any stage of the protocol.

4.1 Correctness and Obliviousness 

Notation: Denote our scheme by RP (random pointer scheme). $RP_P$ will denote our random pointer scheme when used with the underlying semi-oblivious transfer protocol P.

The following three theorems establish the required properties to prove that our random pointer scheme satisfies the definitions of distributed oblivious transfer. Recall that the definition consists of three properties that must hold at the end of the execution: (1) Bob learns $S_i$ for his selection index i (correctness); (2) Bob gains no further information about the other secrets $S_j$ for $j \neq i$ (privacy of secret holders); and (3) $\forall j$, $A_j$ learns nothing about the value of i (privacy of recipient).

Correctness 

Theorem 1 If P is a semi-oblivious transfer scheme, then $RP_P$ is correct, i.e. if Bob follows the protocol with selection index i, the value he obtains at the last step is the secret $S_i$.

Proof: By reduction from the correctness of P, after running P with $A_1, \ldots, A_k$, Bob receives the pair $(j, l) = (j_i, l_i)$ corresponding to his selection index i. From the way $l_i$ was constructed, it is a location in which $R_2$ has the bit $b = R_1(j) \oplus S_i$. Thus, $R_1(j) \oplus R_2(l) = S_i$ and Bob receives the correct secret $S_i$. □



¹ This is a common assumption in the OT model, and is quite natural, for example if we view the secret holders as a commercial database which sells data, and charges per query.

² For example, they could agree on fixed permutations to use, ignoring Bob's shifts, and then when $R_j$ receives the user's query he knows which location it corresponds to, according to the fixed permutation.



Privacy of secret holders 

Theorem 2 (informal statement) For any strategy Bob' (possibly cheating), if all holders follow the protocol, Bob' cannot get any information about more than one secret $S_i$ of his choice.

To state the theorem formally and prove it, we define the view of Bob' (for any strategy Bob'), and prove that its distribution is independent of all but one secret.

Let Bob' be any strategy for the recipient. Bob' runs a semi-oblivious subprotocol P with $A_1, \ldots, A_k$ and the secrets $(j_1, l_1), \ldots, (j_n, l_n)$, at the end of which he receives $(j_i, l_i)$ and possibly additional information about these secrets which the subprotocol leaks. We assume a worst case in which Bob' receives the full information about all the secrets, namely he gets $(j_1, l_1), (j_2, l_2), \ldots, (j_n, l_n)$, and we show that even in this worst case, Bob' cannot obtain any information about the real secrets $S_1, \ldots, S_n$ other than a single secret $S_i$ of his choice.

Let $V(j, l) = [(j_1, l_1), \ldots, (j_n, l_n), R_1(j), R_2(l)]$; $V(j, l)$ is the view received by a Bob' who sends queries j, l to $R_1, R_2$ respectively. (This is the worst-case assumption mentioned above. In reality, the view of Bob' can be derived from $V(j, l)$, but is possibly much smaller). Note that an honest Bob should set $j = j_i$, $l = l_i$, but we allow a possibly cheating Bob', who may choose arbitrary j, l.

Consider a partial view $V^- = [(j_1, l_1), \ldots, (j_n, l_n), R_1(j)]$ where the last answer (from $R_2$) is omitted. Let D be the domain of all possible partial views $V^-$. Thus, $|D| = 2 \cdot n! \cdot \binom{2n}{n} n!$. We will prove that the partial view $V^-$ is uniformly distributed over D, and from this we will be able to prove that the distribution of the complete view V depends only on one secret.

In what follows, the notation X ~ U[D] means that the random variable X is distributed uniformly over 
the domain D. 

Theorem 2 $\forall j, l$, the distribution of $V(j, l)$ may depend on at most one secret. More specifically, for any possible view $V(j_r, l_{r'}) \in D \times \{0, 1\}$,

$$Prob[V(j_r, l_{r'})] = \begin{cases} \dfrac{\epsilon}{|D|} & \text{if } R_1(j_r) \oplus R_2(l_{r'}) = S_{r'} \\[4pt] \dfrac{1 - \epsilon}{|D|} & \text{otherwise} \end{cases}$$

where $\epsilon = 1$ if $r = r'$, and $\epsilon = \frac{1}{2} - \frac{1}{2(n-1)}$ if $r \neq r'$, and probabilities are taken over the choices of

Note that from this theorem, if j, l correspond to a pair $(j_r, l_r)$ (as in the honest Bob case), then the view provides complete information about $S_r$ (since $\epsilon = 1$, so $S_r = R_1(j_r) \oplus R_2(l_r)$), whereas if j, l do not correspond to such a pair, only partial information about $S_{r'}$ is provided (since there is a positive probability for both $S_{r'} = 0$ and $S_{r'} = 1$).

In either case, the last two components of the view contain information about the secret $S_{r'}$, but the view does not depend on any other secret.

We proceed with a sequence of lemmas that will prove the theorem, by gradually adding components to the view, while maintaining its independence of all secrets except $S_{r'}$. The first three lemmas will establish the uniform distribution of $V^-$, and lemma 4 will complete the calculation for the last component in the view.

Lemma 1 $\forall j$, $R_1(j) \sim U[\{0, 1\}]$ (probability is taken over choice of $R_1$).

Proof: Obvious, since $R_1$ is chosen uniformly from all strings of length n with half 0's and half 1's, and thus for any particular location j, $R_1(j)$ is 0 or 1 with equal probability. □

Lemma 2 $\forall j$, $[j_1, \ldots, j_n \mid R_1(j)] \sim U[\text{all permutations on } \{1, \ldots, n\}]$ (probability is taken over choice of $\pi_1$).

Proof: Since $\pi_1$ is a uniformly distributed permutation, so is $\sigma_1 = \pi_1 + s_1$, namely $(j_1, \ldots, j_n) = (\sigma_1(1), \ldots, \sigma_1(n)) = (\pi_1(1) + s_1, \ldots, \pi_1(n) + s_1)$ is uniformly distributed over all permutations on $\{1, \ldots, n\}$ (recall that addition here is modulo n).

This is true independent of $R_1(j)$, and thus $[j_1, \ldots, j_n \mid R_1(j)] = [j_1, \ldots, j_n]$ is also uniformly distributed.

□



Lemma 3 $\forall j$, $[l_1, \ldots, l_n \mid R_1(j), j_1, \ldots, j_n] \sim U$ over all sequences of n distinct locations in $\{1, \ldots, 2n\}$ (probability is taken over choices of $R_1, R_2, \pi_2^0, \pi_2^1$).

Proof: Given values $R_1(j), j_1, \ldots, j_n$, we want to prove that every sequence $l_1, \ldots, l_n$ is equally likely (i.e. uniform distribution). Fix an arbitrary $R_1$ with a suitable $R_1(j)$. This defines a sequence of bits $\{b_r = R_1(j_r) \oplus S_r\}_{r=1}^{n}$. Then, for $r \in \{1, \ldots, n\}$, $l_r$ is chosen to be the index of the $m_r$-th bit with value $b_r$ in $R_2$, where $m_r = \sigma_2^{b_r}(r)$. Thus, for any particular sequence $l_1, \ldots, l_n$, $Prob[l_1, \ldots, l_n \mid R_1, R_1(j), j_1, \ldots, j_n] = Prob[\forall r : R_2(l_r) = b_r \wedge \sigma_2^{b_r}(r) = m_r$, where $l_r$ is the $m_r$-th bit with value $b_r$ in $R_2]$. This probability (for a fixed $R_1$) is taken over $R_2$ and $\pi_2^0, \pi_2^1$. It is not necessary to calculate the exact probability to see that it is the same for each sequence $l_1, \ldots, l_n$, since $\sigma_2^0$ and $\sigma_2^1$ are both uniformly distributed permutations (because $\sigma_2^b = \pi_2^b + s_2^b$). We have some number k of restrictions on the values of $\sigma_2^0$ and n − k restrictions on the values of $\sigma_2^1$, which yields a certain probability that these restrictions will be satisfied, regardless of the actual values $l_1, \ldots, l_n$ of the restrictions³. Thus for each sequence we have the same probability, and thus $[l_1, \ldots, l_n \mid R_1, R_1(j), j_1, \ldots, j_n] \sim U$ over all sequences of n distinct locations in $\{1, \ldots, 2n\}$ (where probability is taken over the choice of $R_2, \pi_2^0, \pi_2^1$). This is true for any fixed $R_1$, and thus it is also true when $R_1$ is chosen randomly. □



Lemma 4 $\forall j = j_r$, $l = l_{r'}$,

$$Prob[R_2(l_{r'}) = 0 \mid R_1(j_r), j_1, \ldots, j_n, l_1, \ldots, l_n] = \begin{cases} \frac{1}{2} - \frac{1}{2(n-1)} & \text{if } r \neq r' \text{ and } S_{r'} = R_1[j_r] \\ \frac{1}{2} + \frac{1}{2(n-1)} & \text{if } r \neq r' \text{ and } S_{r'} \neq R_1[j_r] \\ 1 & \text{if } r = r' \text{ and } S_{r'} = R_1[j_r] \\ 0 & \text{if } r = r' \text{ and } S_{r'} \neq R_1[j_r] \end{cases} = \begin{cases} \epsilon & \text{if } S_{r'} = R_1[j_r] \\ 1 - \epsilon & \text{if } S_{r'} \neq R_1[j_r] \end{cases}$$

where $\epsilon = 1$ if $r = r'$, and $\epsilon = \frac{1}{2} - \frac{1}{2(n-1)}$ if $r \neq r'$ (probability is taken over choices of $R_1$).

Proof: Given $R_1(j_r), j_1, \ldots, j_n, l_1, \ldots, l_n$, from the way the $l_r$'s were chosen, $R_2(l_{r'}) = R_1(j_{r'}) \oplus S_{r'}$, and thus $R_2(l_{r'}) = 0 \iff R_1(j_{r'}) = S_{r'}$. Therefore,

$$Prob[R_2(l_{r'}) = 0 \mid R_1(j_r), j_1, \ldots, j_n, l_1, \ldots, l_n] = Prob[R_1(j_{r'}) = S_{r'} \mid R_1(j_r), j_1, \ldots, j_n, l_1, \ldots, l_n] = Prob[R_1(j_{r'}) = S_{r'} \mid R_1(j_r)]$$

$$= \begin{cases} \binom{n-2}{n/2-2} \Big/ \binom{n-1}{n/2} & \text{if } r \neq r' \text{ and } S_{r'} = R_1[j_r] \\[4pt] \binom{n-2}{n/2-1} \Big/ \binom{n-1}{n/2} & \text{if } r \neq r' \text{ and } S_{r'} \neq R_1[j_r] \\[4pt] 1 & \text{if } r = r' \text{ and } S_{r'} = R_1[j_r] \\ 0 & \text{if } r = r' \text{ and } S_{r'} \neq R_1[j_r] \end{cases}$$

For $r = r'$ this is obvious. For $r \neq r'$ this is true because $R_1$ is a random string of length n with $\frac{n}{2}$ 0's and $\frac{n}{2}$ 1's. Given $R_1[j_r]$, there are $\binom{n-1}{n/2}$ possible strings for $R_1$, each equally probable. Out of those, the number of possibilities where $R_1[j_{r'}] = S_{r'}$ is $\binom{n-2}{n/2-2}$ if $S_{r'} = R_1[j_r]$, and $\binom{n-2}{n/2-1}$ otherwise.



³ For a direct calculation, it is not hard to check that the probability is

$$\frac{\binom{n}{k} (n-k)!\, k!}{\binom{2n}{n}\, n!\, n!} = \frac{1}{\binom{2n}{n}\, n!} = \frac{1}{(2n)(2n-1) \cdots (n+1)}$$

which is exactly the probability of uniformly selecting a sequence of n distinct locations in $\{1, \ldots, 2n\}$, as needed.



("i 2 ) U- 2 i) 

Now it is easy to verify that /„_i\ = 5 — 2 fa- 11 and /S-in = \ + 2 fa- 11 ; which completes the proof of 
the lemma. □ 
Proof of Theorem 2: $\forall j = j_r,\ l = l_{r'}$, let $\bar v = [(j_1, l_1), \dots, (j_n, l_n), R_1(j_r)]$ and $v = [\bar v, R_2(l_{r'})]$. Then

$$\Pr[\bar v] = \Pr[R_1(j_r)] \cdot \Pr[j_1, \dots, j_n \mid R_1(j_r)] \cdot \Pr[l_1, \dots, l_n \mid R_1(j_r), j_1, \dots, j_n] = \frac{1}{|D|}$$

since by Lemmas 1, 2, 3 all three terms in the product are uniformly distributed over their domain of possible values, and therefore $\bar v$ is uniformly distributed over its domain $D$. Now, from Lemma 4 we have that

$$\Pr[v \mid \bar v] = \begin{cases}
\varepsilon & \text{if } R_1[j_r] \oplus R_2[l_{r'}] = S_{r'} \\
1 - \varepsilon & \text{otherwise}
\end{cases}$$

Combining these equations, we get

$$\Pr[v] = \Pr[\bar v] \cdot \Pr[v \mid \bar v] = \begin{cases}
\frac{\varepsilon}{|D|} & \text{if } R_1(j_r) \oplus R_2(l_{r'}) = S_{r'} \\
\frac{1 - \varepsilon}{|D|} & \text{otherwise}
\end{cases}$$

which completes the proof of the theorem. □
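As an added check on Lemma 4 and on the counting step of Lemma 3 (this is illustrative Python written for this edit, not code from the paper), the following enumerates every balanced string for small even $n$ and compares the empirical conditional probability with both the binomial ratio used in the proof and the closed form $\frac{1}{2} \mp \frac{1}{2(n-1)}$; `lemma3_matches_falling_factorial` checks the identity $1/(\binom{2n}{n}\,n!) = 1/((2n)(2n-1)\cdots(n+1))$. Position 0 stands for $j_r$ and position 1 for $j_{r'}$; by the symmetry of $R_1$ any two distinct positions would do.

```python
from fractions import Fraction
from itertools import combinations
from math import comb, factorial, perm


def balanced_strings(n):
    """Every n-bit string (n even) with exactly n/2 ones, as a list of bits."""
    for ones in combinations(range(n), n // 2):
        s = [0] * n
        for p in ones:
            s[p] = 1
        yield s


def lemma4_closed_form(n, same):
    """Lemma 4, case r != r': Prob[R1[j_r'] = S_r' | R1[j_r]] equals
    1/2 - 1/(2(n-1)) when S_r' = R1[j_r] (same=True) and 1/2 + 1/(2(n-1)) otherwise."""
    return Fraction(1, 2) + (-1 if same else 1) * Fraction(1, 2 * (n - 1))


def lemma4_binomial_form(n, same):
    """The same probability as the ratio of counts in the proof: conditioned on
    R1[j_r] there are C(n-1, n/2-1) balanced strings; C(n-2, n/2-2) of them repeat
    the known bit at j_r', C(n-2, n/2-1) place the opposite bit there."""
    h = n // 2
    numerator = comb(n - 2, h - 2) if same else comb(n - 2, h - 1)
    return Fraction(numerator, comb(n - 1, h - 1))


def lemma4_by_enumeration(n, same):
    """Brute force: condition on R1[0] = 0 (the bit revealed at j_r) and count how
    often position 1 (standing in for j_r') carries the same bit."""
    target = 0 if same else 1
    total = hits = 0
    for s in balanced_strings(n):
        if s[0] != 0:
            continue
        total += 1
        hits += s[1] == target
    return Fraction(hits, total)


def lemma3_matches_falling_factorial(n):
    """1/(C(2n,n) n!) == 1/((2n)(2n-1)...(n+1)): one particular sequence of n
    distinct locations in {1,...,2n} has this probability under the uniform choice."""
    return Fraction(1, comb(2 * n, n) * factorial(n)) == Fraction(1, perm(2 * n, n))


if __name__ == "__main__":
    for n in (4, 6, 8, 10):
        for same in (True, False):
            print(n, same, lemma4_closed_form(n, same), lemma4_binomial_form(n, same),
                  lemma4_by_enumeration(n, same))
```

The enumeration is exact (it uses `Fraction`), so agreement with the closed form is an identity check, not a statistical one.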

Privacy of recipient 

We prove that the RP scheme is private for Bob, provided that the secret holders follow the protocol (honest but curious). As explained in the beginning of the section, this assumption can be removed if $R_1, R_2$ do not know the random permutations, and a similar proof will work for that case.

Theorem 3 If $P$ is a semi-oblivious transfer scheme, then $RP_P$ is recipient-private, i.e. for any honest-but-curious strategies $A'_1, \dots, A'_k, R'_1, R'_2$, if Bob follows the protocol for a selection index $i$, no secret holder can get any information about $i$.

Proof: For $A'_r$, $1 \le r \le k$, Bob's communication with $A'_r$ is identical to the communication in the underlying $P$, and therefore for these holders the theorem follows by reduction from the privacy of recipient for $P$. For $R'_1$, the only communication $R'_1$ gets is the index $j = \sigma_1(i) = \pi_1(i) + s_1 \pmod n$. Since $s_1$ is a random shift uniformly distributed in $\{1, \dots, n\}$, $j$ is a uniformly distributed index in $\{1, \dots, n\}$, independent of $i$. Thus, $R'_1$ cannot get any information about $i$.

For $R'_2$, the only communication $R'_2$ gets is the index $l$, which is the location of the $m$'th $b$-bit in $R_2$, where $b = R_1(j) \oplus S_i$ and $m = \sigma_2(i) = \pi_2(i) + s_2 \pmod n$. Since we showed above that $j$ is uniformly distributed, and since $R_1$ has half 0's and half 1's, it follows that $R_1(j) \in_U \{0, 1\}$, and therefore $b \in_U \{0, 1\}$, independent of $i$. $m$ is uniformly distributed in $\{1, \dots, n\}$ by randomness of the shift $s_2$, as above. We showed that $b$ and $m$ are both distributed independently of $i$, in fact uniformly, and thus $l$ is also uniformly distributed (in $\{1, \dots, 2n\}$), independent of $i$. □

4.2 Complexity 

Space Complexity: $R_1, R_2$ require $O(n)$ space, and $A_1, \dots, A_k$ require $O(n \log n)$ space. Specifically, $R_1$ is an $n$-bit string$^4$, $R_2$ is a $2n$-bit string, and $A_1, \dots, A_k$ each hold $n$ secret bits, the same $n + 2n$ bits as in $R_1$ and $R_2$, and $3 \log n! \le 3n \log n$ bits for the three permutations, for a total of $O(n \log n)$ bits.

Communication Complexity: Recall that $SOT_k(l, n)$ denotes the communication complexity required for a $\binom{n}{1}$ semi-oblivious transfer protocol for $l$-bit secrets using $k$ secret holders.

$^4$ Even a slightly shorter $\log \binom{n}{n/2}$-bit string suffices, since we need to specify an $n$-bit string with an equal number of 0's and 1's. A similar observation holds for $R_2$.

Theorem 4 The random pointer scheme for $k + 2$ holders uses communication complexity $O(k \log n) + SOT_k(2 \log n + 1, n)$.

Proof: The communication in this scheme consists of $3 \log n$ bits sent by Bob in the first step to each of $A_1, \dots, A_k$ (indicating the three shifts $s_1, s_2, s_3$), $\log n + \log 2n$ bits sent by Bob in the last step to $R_1$ and $R_2$ (indicating the locations $j, l$ respectively), their two answer bits, and the communication required by the underlying semi-oblivious protocol $P$ for $n$ secrets of length $\log n + \log 2n = 2 \log n + 1$ each (recall that the secrets for the underlying subprotocol are of the form $(j_1, l_1), \dots, (j_n, l_n)$ where $j_r, l_r$ are locations into the $n$-bit and $2n$-bit strings). Altogether, this gives $(3k + 4) \log n + 4 + SOT_k(2 \log n + 1, n) = O(k \log n) + SOT_k(2 \log n + 1, n)$. □

Corollary 1 Starting from any semi-oblivious protocol, protecting Bob only, a $\binom{n}{1}$ oblivious transfer protocol protecting both sides can be constructed, paying a logarithmic factor in communication complexity.

Proof: Clearly, an $SOT_k(l, n)$ protocol can be implemented by executing an $SOT_k(1, n)$ protocol $l$ times, considering each bit in the secret separately, one at a time$^5$. Since in Theorem 1 the dominating communication complexity in the random pointer scheme is $SOT_k(2 \log n + 1, n)$, the corollary follows. □

We note that when a more efficient approach for $SOT_k(l, n)$ than the one-bit-at-a-time one is possible, it should be used to obtain further savings in communication. For example, [11] shows that when a semi-oblivious protocol satisfies a certain additivity condition on the reconstruction function for Bob, then $SOT_k(l, n)$ can be solved within $l$ times the complexity of $SOT_k(1, \frac{n}{l} + 1)$ (see [11] for details).

Using the best upper bounds known to date for semi-oblivious protocols yields the following.

Corollary 2 The random pointer scheme can be used with known subprotocols to achieve the following results:

• A $k + 2$-holders scheme with communication complexity $O(n^{\frac{1}{2k-1}} \log n)$, for every constant $k$. (For $k = 2$ this is $O(n^{1/3} \log n)$.)

• A scheme for a logarithmic number of holders, with polylogarithmic communication complexity.

• A computational version (relying on the existence of one-way functions) for a constant number of holders, with communication complexity $n^{\varepsilon}$, for every $\varepsilon > 0$.

Proof: These results follow directly from combining the previous corollary with the known protocols of [11] for 2 databases, [2] for any constant number $k$ of databases, [11] for $\log n + 1$ databases, and the [10] computational protocol for 2 databases. □

5 Generalizations 

The random pointer scheme can be generalized to support more general variants of OT, such as privacy 
with respect to coalitions of secret holders, or oblivious transfer of secrets consisting of blocks of bits. In the 
following we show how an underlying SOT scheme P supporting the generalized variant, can be extended to 
a generalized OT scheme. 

5.1 Privacy With Respect to Coalitions 

So far we were concerned with the privacy of Bob with respect to each single holder (either an $A$ or an $R$), assuming there is no communication between different holders. This protocol can be extended to allow privacy with respect to coalitions of up to $t$ holders who may communicate with each other. We say that a distributed $\binom{n}{1}$ oblivious transfer scheme is $t$-private if no $t$ holders together may obtain from their joint view any information about Bob's selection index $i$. Note that 1-private OT means the regular distributed $\binom{n}{1}$ oblivious transfer as defined before.



$^5$ Note that here we need not worry about a cheating Bob who may ask for different bits from different secrets at each execution, since this is a semi-oblivious protocol, meaning we only care about Bob's privacy, and not Alice's.

The random pointer scheme as described above achieves only 1-privacy. There are three types of coalitions that could potentially violate the privacy of Bob: a coalition between the two $R$'s, a coalition between the Alices, and a coalition between a combination of Alices and $R$'s.

In order to allow for coalitions of size $t$ between the $R$'s we increase the number of $R$'s to $t + 1$: $R_1, \dots, R_t$ corresponding to $R_1$ in the original scheme, and $R_{t+1}$ corresponding to $R_2$ in the original scheme. This way any coalition of up to $t$ random holders from $R_1, \dots, R_{t+1}$ is missing at least one random holder, and thus their view is uniformly distributed.

In order to allow for coalitions of size t between the Alices we use an underlying SOT scheme which is 
t-private, such as the one suggested in [11]. 

In order to allow for coalitions of size $t$ between $A$'s and $R$'s, we can extend the RP scheme to achieve $t$-privacy by using the following idea: instead of having just one level of pointers from Alice to $R$, we propose to use $t$ levels of pointers between Alice and $R$, such that at least $t + 1$ holders will have to form a coalition in order to gain some information about Bob's query. Thus, if the 1-privacy scheme included $k$ Alices and 2 $R$'s, we now have a level of $k$ Alices, a level of $t + 1$ $R$'s, and between them we use $t - 1$ intermediate levels of secret holders called $AR$, where each level consists of $k$ $AR$'s. Altogether we use $kt + t + 1$ holders, denoted as follows (next to each level of holders we denote the secret string associated with that level).

    Holders                              Secrets
    $A_1, \dots, A_k$                    $[S_1, \dots, S_n]$
    $AR^2_1, \dots, AR^2_k$              $[r^2 = r^2_1, \dots, r^2_{2n}]$
    $\vdots$                             $\vdots$
    $AR^t_1, \dots, AR^t_k$              $[r^t = r^t_1, \dots, r^t_{2n}]$
    $R_1, \dots, R_t, R_{t+1}$

$S_1, \dots, S_n$ are the original secrets, and each $r^i$ is an independent random string of length $2n$ consisting of half 0's and half 1's.

We denote the holders in the intermediate levels by AR because their role in the protocol is to play 
Alice's role (like in the RP scheme), but their content consists of random bits, and thus they can be viewed 
as random holders, and don't need to know the original secrets. 

The protocol follows the same idea as the basic RP scheme. Bob starts by running the SOT protocol $P$ with the first level of holders, where the secrets used by the holders are pointers (indices) into the second level's secret string corresponding to the original secrets. Thus, Bob semi-obliviously receives a pointer $i_2$ into $r^2$ that he is now interested in. He runs $P$ again with the second level holders, using $i_2$ as his selection index, and obtains a new index $i_3$ into $r^3$, and so on. After $t$ steps Bob has obtained a private index $i_t$ into $r^t$. He now runs $P$ with the holders at level $t$, to receive $t + 1$ pointers $j_1, \dots, j_t, j_{t+1}$ into $R_1, \dots, R_t, R_{t+1}$ respectively. Now he can ask each random holder for the value in the corresponding location, and xor the values to obtain his answer.

The pointers used by the holders as secrets are obtained in the same manner as in the original scheme, 
namely via random permutations that are shared between the holders in each level, and are used to calculate 
pointers with a suitable bit value into the next level's string. 

In order to make the above idea work, we need to make one additional modification. To see why, note that in the scheme described above, if one of the holders in level $t$ communicates with one of the random holders, they can find out which bit in $r^t$ Bob was interested in. This gives away the value of the bit of Bob's interest (although not its index, since they don't know the mappings from $\{S_1, \dots, S_n\}$ to the string $r^t$).

To solve this problem, before running $P$ with a certain level $l$, Bob first sends a random bit $b_l \in \{0, 1\}$ to all holders of that level. The holders xor all the secret bits with $b_l$, and proceed as above. At the end of the protocol, Bob xors $b_1 \oplus \dots \oplus b_t$ and all the bits he received from $R_1, \dots, R_{t+1}$ to obtain his desired bit.

Now, any coalition of up to t holders from different levels cannot contain one holder from each level 
and a random holder (since this would consist of t + 1 holders), and thus cannot have all the permutations 
connecting the original secrets with the last level secrets and the location Bob has asked from the random 
holder, and thus cannot have any information about Bob's original interest. 
5.2 OT of Blocks of Secrets

Another possible generalization is the transfer of block secrets consisting of $l > 1$ bits each. Note that, unlike semi-oblivious transfer, this cannot be done simply by running the original scheme for each bit$^6$. A simple way to extend the RP scheme to block secrets is to change $R_1$ and $R_2$ to consist of blocks of length $l$, so that Bob receives two indices of blocks in $R_1$ and $R_2$ such that the xor of the two is the secret.

In order for the original protocol and proof to follow through in this setting, $R_1$ should contain $n$ $l$-bit blocks, chosen randomly so that each possible block appears the same number of times. $R_2$ should contain $n$ copies of each possible block, in random order, so it needs to have $n 2^l$ $l$-bit blocks.
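To make the pointer construction of Section 4 and its block generalization concrete, here is an added Python simulation (written for this edit; it is not the paper's code) of the RP setup with a single secret holder: $R_1$ holds $n$ blocks of $l$ bits with every value equally often, $R_2$ holds $n$ copies of every $l$-bit value, and the pointer $(j_r, l_r)$ for secret $S_r$ is chosen so that $S_r = R_1[j_r] \oplus R_2[l_r]$, with $l_r$ the $m$-th occurrence in $R_2$ of the block value $R_1[j_r] \oplus S_r$. The random shifts $s_1, s_2$ that the paper adds to the permutations are folded into the random permutations `sigma1`, `sigma2` here (a simplifying assumption that does not affect correctness of reconstruction); with `block_bits = 1` this is the bit scheme of Section 4, and the check that the $l_r$ are pairwise distinct mirrors the domain used in Lemma 3.

```python
import random


def balanced_blocks(copies_per_value, block_bits, rng):
    """A random sequence of l-bit blocks (l = block_bits) in which each of the 2^l
    values occurs exactly copies_per_value times; for l = 1 this is a balanced bit string."""
    blocks = [v for v in range(1 << block_bits) for _ in range(copies_per_value)]
    rng.shuffle(blocks)
    return blocks


def rp_setup(secrets, block_bits, rng):
    """Setup of the random pointer scheme for n secrets of l bits each (single Alice).
    R1: n blocks, every value equally often (needs 2^l dividing n).
    R2: n copies of every value, i.e. n * 2^l blocks.
    Pointer for S_r: j_r = sigma1(r); l_r = the sigma2(r)-th block of R2 whose value is
    R1[j_r] xor S_r.  Hence S_r = R1[j_r] xor R2[l_r]."""
    n = len(secrets)
    values = 1 << block_bits
    if n % values:
        raise ValueError("need 2^l dividing n so each block value appears equally often in R1")
    r1 = balanced_blocks(n // values, block_bits, rng)
    r2 = balanced_blocks(n, block_bits, rng)
    sigma1 = list(range(n))          # stands in for pi_1 plus the shift s_1 (assumption)
    rng.shuffle(sigma1)
    sigma2 = list(range(n))          # stands in for pi_2 plus the shift s_2 (assumption)
    rng.shuffle(sigma2)
    positions = {}                   # block value -> its n locations in R2
    for p, v in enumerate(r2):
        positions.setdefault(v, []).append(p)
    pointers = []
    for r, s in enumerate(secrets):
        j = sigma1[r]
        b = r1[j] ^ s                # the value R2 must supply at l_r
        pointers.append((j, positions[b][sigma2[r]]))
    return r1, r2, pointers


def bob_reconstruct(r1, r2, pointers, i):
    """Bob's last step: query R1 at j_i and R2 at l_i and xor the two answers."""
    j, l = pointers[i]
    return r1[j] ^ r2[l]


def rp_demo(n, block_bits, seed=0):
    """Return (secrets, what Bob reconstructs for every i, number of distinct l_r, len(R2))
    for constructed random secrets."""
    rng = random.Random(seed)
    secrets = [rng.randrange(1 << block_bits) for _ in range(n)]
    r1, r2, pointers = rp_setup(secrets, block_bits, rng)
    recovered = [bob_reconstruct(r1, r2, pointers, i) for i in range(n)]
    return secrets, recovered, len({l for _, l in pointers}), len(r2)


if __name__ == "__main__":
    for n, l in ((8, 1), (8, 2), (16, 3)):
        print(n, l, rp_demo(n, l))
```

Only the correctness half of the scheme is simulated here: the semi-oblivious sub-protocol that delivers one pointer to Bob, and the privacy argument of Theorems 2 and 3, are not modelled.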

6 Repetitive $\binom{n}{1}$ Oblivious Transfer



In the context of the Secure Database Access problem, repetitive executions of the Oblivious Transfer protocol 
are very desirable. By repetitive executions we mean that the protocol is used multiple times with the same 
secrets. In order to allow repetitions, two issues must be examined: 

Security: Executing the scheme $k$ times will give Bob information about only $k$ secrets of his choice, but no more than that, and will give Alice no information at all regarding Bob's choices of secrets. This extends the traditional definition of $\binom{n}{1}$ oblivious transfer, which guarantees this for a single execution ($k = 1$).

Efficiency: Executing the scheme $k$ times can be done with reasonable complexity. In particular, we want to achieve secure repetitive $\binom{n}{1}$ oblivious transfer without recomputing the whole protocol from scratch with each execution of the protocol.

For simplicity, we present repetitive oblivious transfer with respect to the standard model, with a single 
secret holder. It is easy to extend the notion to distributed repetitive oblivious transfer, similarly to our 
approach in the previous sections. 

Repetitive Oblivious Transfer: This is a protocol between Alice, who has $n$ secret bits $S_1, \dots, S_n$, and Bob, who has a selection index $i \in \{1, \dots, n\}$. We break the protocol into a setup stage and an on-line stage. We say that the protocol is secure for $k$ repetitions if, after performing the setup stage once and the on-line stage $k$ times, with selection indices $i_1, \dots, i_k$ respectively, the following three conditions hold.

1. Bob learns the secrets at his selection indices, namely $S_{i_1}, \dots, S_{i_k}$.

2. Bob gains no further information about the other secrets $S_j$, $j \notin \{i_1, \dots, i_k\}$.

3. Alice learns nothing about the values of $i_1, \dots, i_k$.

Clearly, for the repetitive scenario it is desirable to have as much of the work load as possible done during 
the setup stage, so that the on-line stage (which is the one being repeated) is as efficient as possible. 

We inspect existing protocols, and show that they are not secure even for 2 executions, unless all the 
setup (such as choosing a one way function, etc) is computed from scratch every time, which makes it too 
inefficient for repetitive applications. 

6.1 Open Question 

In our scheme, it is clear that if all random strings of the secret holders are chosen independently every time, 
then the scheme can be repeated without losing privacy. This may be a reasonable solution for constant 
number of repetitions (since several random strings can be generated in advance), or for computational 
security (using short pseudo random seeds). However, it is too expensive if we require a large number of 
repetitions and insist on information theoretic security. 

Other existing schemes also fail to solve this problem, as we show below. Thus, the problem of designing a repetitive (efficient) $\binom{n}{1}$ oblivious transfer protocol remains an important and useful open problem, and we are currently working towards solutions in this direction.

$^6$ If we did this, Bob could ask for $l$ different bits from different blocks, thus obtaining information dependent on more than one secret.

6.2 Problems with Repetition for Existing Protocols

It is interesting to find out that existing implementations of $\binom{n}{1}$ oblivious transfer are generally not satisfactory for applications that require repetitions. In this section we look at some of the existing schemes and their repetition security.

6.2.1 Oblivious Transfer Based on any One Way Trapdoor Function 

A general $\binom{n}{1}$ oblivious transfer protocol based on any one-way trapdoor function is described in [14]. In what follows we provide a brief sketch of the protocol, and show that it is not secure for repetitions.

Sketch of Protocol: Alice and Bob agree on a one-way trapdoor function $f$, and let $B$ be a hard-core predicate for $f$. Bob sends to Alice $n$ numbers $y_1, \dots, y_n$, where the one at his selection index $i$ is of the form $y_i = f(x)$ for a randomly chosen $x$, and the other $n - 1$ numbers are chosen randomly. Alice gets the list $y_1, \dots, y_n$ and sends back $S_1 \oplus B(f^{-1}(y_1)), \dots, S_n \oplus B(f^{-1}(y_n))$. Bob is able to find $S_i$, which is the exclusive-or of two values he knows: $B(f^{-1}(y_i)) = B(x)$ and $B(f^{-1}(y_i)) \oplus S_i$. Bob cannot find any other secret $S_j$ for $j \ne i$, since it is masked by $B(f^{-1}(y_j))$, about which Bob has no information.

Indeed, one application of the scheme gives Bob only one secret. However, applying the same scheme twice gives Bob much more information than just 2 secrets (unless the one-way function and hard-core predicate are chosen afresh every single time). In fact, in two applications Bob can recover all the secrets, as follows.

• First iteration of the scheme: Bob sends to Alice

  $f(x), y_2, y_3, \dots, y_n$

  for random $x, y_2, \dots, y_n$.

• Bob receives from Alice

  $z_1 = S_1 \oplus B(x),\quad z_2 = S_2 \oplus B(f^{-1}(y_2)),\quad \dots,\quad z_n = S_n \oplus B(f^{-1}(y_n))$

• Bob calculates $S_1 = z_1 \oplus B(x)$.

• Second iteration of the scheme: Bob sends to Alice

  $y_2, \dots, y_n, y'$

  for a random $y'$.

• Bob receives from Alice

  $w_1 = S_1 \oplus B(f^{-1}(y_2)),\quad \dots,\quad w_{n-1} = S_{n-1} \oplus B(f^{-1}(y_n)),\quad w_n = S_n \oplus B(f^{-1}(y'))$

• Bob calculates

  $S_2 = z_2 \oplus w_1 \oplus S_1,\quad S_3 = z_3 \oplus w_2 \oplus S_2,\quad \dots,\quad S_n = z_n \oplus w_{n-1} \oplus S_{n-1}$

Bob has all $n$ secrets now.
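The two-execution observation above, reproduced as an added Python simulation (written for this edit; it is neither the paper's code nor the protocol implementation of [14]). The trapdoor permutation is modelled by a random permutation table whose inverse only Alice holds, and $B$ by the low bit of the preimage; both are toy stand-ins, not cryptographic objects. The point is the defensive one the section makes: each mask $B(f^{-1}(y_j))$ depends only on $y_j$ and Alice's setup, so if the setup is not refreshed between executions the masks of the two runs cancel pairwise and the derived values equal the secrets, whereas `repetition_demo` also runs the same pair of queries against a freshly chosen $f$ for the second execution, which is the fix the text names.

```python
import random


class ToyTrapdoor:
    """Stand-in for a one-way trapdoor permutation f on {0, ..., size-1}: a random
    permutation table (public, so anyone can evaluate f) whose inverse table is the
    trapdoor held by Alice. Constructed for this demo only; not a cryptographic object."""

    def __init__(self, size, rng):
        self.table = list(range(size))
        rng.shuffle(self.table)
        self.inverse = [0] * size
        for x, y in enumerate(self.table):
            self.inverse[y] = x

    def f(self, x):
        return self.table[x]

    def f_inv(self, y):          # only Alice may call this
        return self.inverse[y]

    @staticmethod
    def hard_core(x):            # B(x): the low bit of x
        return x & 1


def alice_answer(trapdoor, secrets, ys):
    """Alice's reply in the sketched protocol: S_j xor B(f^{-1}(y_j)) for every j."""
    return [s ^ ToyTrapdoor.hard_core(trapdoor.f_inv(y)) for s, y in zip(secrets, ys)]


def two_executions(secrets, trapdoor_run1, trapdoor_run2, rng):
    """Bob's two queries from Section 6.2.1: run 1 sends f(x), y_2, ..., y_n; run 2 sends
    y_2, ..., y_n, y'. Returns Bob's derived values S_1 and z_j xor w_{j-1} xor S_{j-1}.
    With the same trapdoor in both runs every mask cancels and the list is all secrets."""
    n = len(secrets)
    size = len(trapdoor_run1.table)
    x = rng.randrange(size)
    ys = [rng.randrange(size) for _ in range(n)]
    ys[0] = trapdoor_run1.f(x)                        # y_1 = f(x), Bob knows x
    z = alice_answer(trapdoor_run1, secrets, ys)       # z_1 .. z_n
    derived = [z[0] ^ ToyTrapdoor.hard_core(x)]        # S_1 = z_1 xor B(x)
    ys2 = ys[1:] + [rng.randrange(size)]               # y_2 .. y_n, y'
    w = alice_answer(trapdoor_run2, secrets, ys2)      # w_1 .. w_n
    for j in range(1, n):
        derived.append(z[j] ^ w[j - 1] ^ derived[j - 1])
    return derived


def repetition_demo(n=16, size=256, seed=7):
    """Constructed secrets; returns (secrets, values derived when the setup is reused,
    values derived when the second execution uses a freshly chosen f)."""
    rng = random.Random(seed)
    secrets = [rng.randrange(2) for _ in range(n)]
    shared = ToyTrapdoor(size, rng)
    reused = two_executions(secrets, shared, shared, rng)
    refreshed = two_executions(secrets, shared, ToyTrapdoor(size, rng), rng)
    return secrets, reused, refreshed


if __name__ == "__main__":
    s, reused, refreshed = repetition_demo()
    print("secrets  ", s)
    print("reused f ", reused, "leaks everything:", reused == s)
    print("fresh f  ", refreshed)
```

With a fresh $f$ the value $z_j \oplus w_{j-1}$ is $S_j \oplus S_{j-1} \oplus B(f_1^{-1}(y_j)) \oplus B(f_2^{-1}(y_j))$, and the two masks no longer cancel, so the derived list beyond $S_1$ carries no reliable information; that is why no assertion is made on it.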
6.2.2 Oblivious Transfer Based on Quadratic Residuosity

Brassard, Crépeau and Robert [9] suggest a $\binom{n}{1}$ oblivious transfer protocol based on the quadratic residuosity assumption (QR). This protocol has weaknesses in terms of repetition security, but it is much better than the previous one in this respect.

Sketch of Protocol: Alice sends to Bob all secrets, encrypted (using QR). Bob selects the encrypted secret of his choice, encrypts it again using his own key, and sends it to Alice. Alice decrypts the value she received, thus removing her encryption from it. The resulting value is sent to Bob, who can now remove his encryption from it as well and get his desired secret. This idea as described above does not quite work yet, since Bob may get some other value (e.g. the xor of two secrets) rather than one of the secrets. To get around this problem, the protocol is modified such that Bob sends to Alice a value called an $\alpha$-packet $P_\alpha$, together with a proof of validity for $P_\alpha$ (see [9] for details).

The same $P_\alpha$ may be used for repetitive applications of the scheme, achieving only partial security (e.g. Alice can tell whether Bob's questions (selection indices) are all different or not). Using a new $P_\alpha$ for every repetition avoids this leakage of information, but considerably increases the on-line stage complexity.

6.2.3 Non-Interactive Oblivious Transfer

A different flavor of oblivious transfer was introduced by Bellare and Micali [5], where the goal is to eliminate interaction from the oblivious transfer protocol. Their non-interactive protocol violates the definition of repetition security, since Bob can hold only one selection index $i$, and if the protocol is to be repeated, he will get the secret at the same location every single time.

Sketch of Protocol: This protocol is based on the Diffie-Hellman assumption. The idea is that Bob publishes a set of $n$ public keys, such that he knows the discrete logarithm of exactly one of them (the protocol provides a way for Alice to make sure Bob cannot know the discrete logarithm of more than one of his public keys, relying on the Diffie-Hellman assumption). Now, to perform an oblivious transfer Alice sends the $n$ secrets encrypted with the $n$ public keys, and Bob can decrypt only the one corresponding to the public key whose discrete log he knows.

Since the selection index of Bob is predetermined from the moment he publishes his public keys, it is clear that, repeating the scheme $k$ times, Bob will always have the same selection index (i.e. $i_1 = \dots = i_k$ in our definition of repetitive oblivious transfer), and the scheme is not secure for repetitions.